Springer Nature is making SARS-CoV-2 and COVID-19 research free. View research | View latest news | Sign up for updates

Efficient E-coupon systems with strong user privacy

  • 303 Accesses

  • 5 Citations


We propose two novel e-coupon systems that can achieve the following new properties: (1) The coupon issuer (or service provider) can trace the identity of a dishonest user while the identity privacy (or anonymity) of a honest user is still well protected. (2) A honest user’s redemption privacy (i.e., the items chosen when redeeming an e-coupon) is well protected from the service provider. (3) If a dishonest user redeems an e-coupon for more than the pre-determined number of times, then the user will lose the redemption privacy (i.e., all the choices the user has made in the previous redemptions can be revealed). We first propose a novel blind signature scheme that we employ together with oblivious transfer to construct our first e-coupon system, which achieves the first two properties without the involvement of any trusted third party. Then we propose a novel oblivious transfer scheme and use it to construct the second e-coupon system that can achieve all the properties given above. We also define the formal security models for these new security requirements, and show that our new e-coupon systems are proven secure in the proposed models.

This is a preview of subscription content, log in to check access.


  1. 1.

    Aiello, W., Ishai, Y., & Reingold, O. (2001). Priced oblivious transfer: How to sell digital goods. In Advances in cryptology—EUROCRYPT 2001, international conference on the theory and application of cryptographic techniques (pp. 119–135), Innsbruck.

  2. 2.

    Bellare, M., & Goldreich, O. (1992). On defining proofs of knowledge. In Advances in Cryptology—CRYPTO ’92, 12th Annual international cryptology conference (pp. 390–420), Santa Barbara, CA.

  3. 3.

    Bellare, M., & Rogaway, P. (1993). Random oracles are practical: A paradigm for designing efficient protocols. In CCS’93, proceedings of the 2009 ACM conference on computer and communications security (pp. 62–73), Fairfax, VA.

  4. 4.

    Bellare, M., Namprempre, C., Pointcheval, D., et al. (2003). The one-more-rsa-inversion problems and the security of chaum’s blind signature scheme. Journal of Cryptology, 16(3), 185–215.

  5. 5.

    Bellare, M., & Palacio A. (2004). The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In Advances in cryptology—CRYPTO, 24th annual international cryptology conference (pp. 273–289), Santa Barbara, CA.

  6. 6.

    Brands, S. (1993). Untraceable off-line cash in wallets with observers (extended abstract). In Advances in cryptology—CRYPTO ’93, 13th annual international cryptology conference (pp. 302–318), Santa Barbara, CA.

  7. 7.

    Brassard, G., Crépeau, C., & Robert, JM. (1986). All-or-nothing disclosure of secrets. In Advances in cryptology—CRYPTO ’86 (pp. 234–238), Santa Barbara, CA.

  8. 8.

    Camenisch, J., Dubovitskaya, M., & Neven G. (2009). Oblivious transfer with access control. In Proceedings of the 2009 ACM conference on computer and communications security (pp. 131–140), Chicago, IL.

  9. 9.

    Camenisch, J., Dubovitskaya, M., & Neven, G. (2010). Unlinkable priced oblivious transfer with rechargeable wallets. In 14th International conference on financial cryptography and data security, FC 2010 (pp. 66–81), Tenerife.

  10. 10.

    Camenisch, J., Neven, G., & Shelat, A. (2007). Simulatable adaptive oblivious transfer. In Advances in cryptology—EUROCRYPT 2007, 26th annual international conference on the theory and applications of cryptographic techniques (pp. 573–590), Barcelona.

  11. 11.

    Canard, S., Gouget, A., & Hufschmitt, E. (2006). A handy multi-coupon system. In ACNS (pp. 66–81).

  12. 12.

    Chaum, D. (1982). Blind signatures for untraceable payments. CRYPTO (pp. 199–203).

  13. 13.

    Chaum, D., Fiat, A., & Naor, M. (1988). Untraceable electronic cash. In Advances in cryptology—CRYPTO ’88, 8th annual international cryptology conference (pp. 319–327), Santa Barbara, CA.

  14. 14.

    Chen, L., Enzmann, M., Sadeghi, AR., et al. (2005). A privacy-protecting coupon system. In Financial cryptography (pp. 93–108).

  15. 15.

    Chu, C. K., & Tzeng, W. G. (2005). Efficient k-out-of-n oblivious transfer schemes with adaptive and non-adaptive queries. In Public key cryptography (pp. 172–183).

  16. 16.

    Coull, SE., Green, M., & Hohenberger S. (2009). Controlling access to an oblivious database using stateful anonymous credentials. In Public key cryptography—PKC 2009, 12th international conference on practice and theory in public key cryptography (pp. 501–520), Irvine, CA.

  17. 17.

    Even, S., Goldreich, O., & Lempel, A. (1985). A randomized protocol for signing contracts. Communications of the ACM, 28(6), 637–647.

  18. 18.

    Guo, P., Wang, J., Li, B., & Lee, S. (2014). A variable threshold-value authentication architecture for wireless mesh networks. Journal of Internet Technology, 15(6), 929–936.

  19. 19.

    Han, J. G., Susilo, W., Mu, Y., et al. (2012). Efficient oblivious transfers with access control. Computers & Mathematics with Applications, 63(4), 827–837.

  20. 20.

    Juels, A., Luby, M., & Ostrovsky, R. (1997). Security of blind digital signatures (extended abstract). In CRYPTO (pp. 150–164).

  21. 21.

    Kilian,  J. (1988). Founding cryptography on oblivious transfer. In Proceedings of the 20th annual ACM symposium on theory of computing (pp. 20–31).

  22. 22.

    Liao, L., & Shu, C. (2015). Reversible data hiding in encrypted images based on absolute mean difference of multiple neighboring pixels. Journal of Visual Communication and Image Representation, 28(4), 21–27.

  23. 23.

    Liu, W., Mu, Y., & Yang, G. M. (2014). An efficient privacy-preserving e-coupon system. In Information security and cryptology—10th international conference (pp. 1–13), Beijing.

  24. 24.

    Ma, X., Xu, L., & Zhang, F. G. (2011). Oblivious transfer with timed-release receiver’s privacy. Journal of Systems and Software, 84(3), 460–464.

  25. 25.

    Mu, Y., Nguyen, K. Q., & Varadharajan, V. (2001). A fair electronic cash scheme. In ISEC 2001, topics in electronic commerce, second international symposium (pp. 20–32), Hong Kong.

  26. 26.

    Mu, Y., Zhang, J. Q., & Varadharajan, V. (2002). m out of n oblivious transfer. In ACISP 2002, 7th Australian conference on information security and privacy (pp. 395–405), Melbourne.

  27. 27.

    Naor, M., & Pinkas, B. (2005). Computationally secure oblivious transfer. Journal of Cryptology, 18(1), 1–35.

  28. 28.

    Naor, M., & Pinkas, B. (1999). Oblivious transfer with adaptive queries. In Advances in cryptology—CRYPTO ’99, 19th annual international cryptology conference (pp. 573–590).

  29. 29.

    Nguyen, L., & Safavi-Naini, R. (2005). k-times anonymous authentication. In Applied cryptography and network security—ACNS 2005, third international conference (pp. 318–333).

  30. 30.

    Nguyen, L. (2006). Privacy-protecting coupon system revisited. In Financial cryptography (pp. 266–280).

  31. 31.

    Teranishi, I., Furukawa, J., & Sako, K. (2004). k-times anonymous authentication (extended abstract). In Advances in cryptology—ASIACRYPT 2004, 10th international conference on the theory and application of cryptology and information security (pp. 308–322).

  32. 32.

    Pointcheval, D., & Stern, J. (1996). Security proofs for signature schemes. In Advances in cryptology—EUROCRYPT ’96, international conference on the theory and application of cryptographic techniques (pp. 387–398), Saragossa.

  33. 33.

    Rabin, M. O. (1981). How to exchnge secrets by oblivious transfer. Technical Report, TR-81, Computer Science Laboratory, Harvard.

  34. 34.

    Schnorr, C. P. (1989). Efficient identification and signatures for smart cards. In Advances in cryptology—CRYPTO ’89, 9th annual international cryptology conference (pp. 239–252).

  35. 35.

    Stadler, M., Piveteau, J. M., & Camenisch, J. (1995). Fair blind signatures. In EUROCRYPT (pp. 209–219).

  36. 36.

    Yao, A. C. C. (1986). How to generate and exchange secrets (extended abstract). In 27th annual symposium on foundations of computer science (pp. 162–167), Toronto.

Download references

Author information

Correspondence to Weiwei Liu.



We analyze the security of the proposed oblivious transfer scheme under half-simulation model [27] in this section.

Theorem 10

The proposed OTRRP scheme provides receiver’s privacy for honest receivers.


Suppose a honest receiver runs the OT protocol with the sender for k times. The sender could obtain k pairs of transcripts \(\{(A_1,B_1,f(B_1)),(A_2,B_2, f(B_2)),\ldots ,(A_k,B_k,f(B_k))\}\) such that \(A_1=g^{r_1x}h^{\alpha _1},A_2=g^{r_2x}h^{\alpha _2},\ldots ,A_k=g^{r_kx}h^{\alpha _k}\), where \(\alpha _1,\alpha _2,\ldots ,\alpha _k\in \{1,2,\ldots ,n\}\) are the user’s choice and \(r_1,r_2, \ldots ,r_k\in _R\mathbb {Z}_q^*\). Given \(B_j=g^{r_j},rpk=g^x\) for some random \(r_j\in \mathbb {Z}_q^*\), it is computation-infeasible to decide the masked value equals \(g^{r_jx}\) or a random value Z in \(G_q\), thus for any two transcripts \(A_j\) and \(A_i\) such that \(1\le i \ne j \le k\) from the user, they are computationally indistinguishable to the service provider as long as the DDH problem is hard in \(G_q\). \(\square \)


The proposed encryption scheme is semantic secure.


As can be seen in the proposed OT scheme, the cipertext is \(c_i=((rpk)^{k_i},m_i(A_i/h^i)^{k_i})\) where \(k_i\in _R\mathbb {Z}_q\), for \(1\le i\le n\). The proposed encryption scheme in our OT scheme is a variant of ElGamal encryption. Therefore the encryption scheme is semantic secure. \(\square \)

Theorem 11

The proposed OTRRP scheme provides sender’s privacy.


Suppose a honest receiver runs the OT protocol with the sender k times. For any probabilistic polynomial-time malicious receiver \(\hat{U}\) in the real-world model, we are able to construct a probabilistic polynomial-time malicious receiver \(\hat{U}^*\) in the ideal model such that the outputs of \(\hat{U}\) and \(\hat{U}^*\) are indistinguishable. \(\square \)

Briefly, the ideal-world cheating receiver \(\hat{U}^*\) can extract \(\alpha \) from the proof of knowledge. This enables him to obtain the message \(m_\alpha \) form the TTP. \(\hat{U}^*\) simulates the honest sender S in the real-world and interacts with \(\hat{U}\) as follows:

  1. 1.

    S sends \(m_1,m_2,\ldots ,m_n\) to the trusted third party TTP.

  2. 2.

    \(\hat{U}^*\) sends \(c_1^*,c_2^*,\ldots ,c_n^*\) to TTP such that \(c_i^*\in _R G_q\) for \(i=1,2,\ldots ,n\).

  3. 3.

    \(\hat{U}^*\) monitors the outputs \(A_{\alpha _1},A_{\alpha _2},\ldots ,A_{\alpha _k}\) of \(\hat{U}\), \(\hat{U}^*\) chooses \(A_{\alpha _1}^*,A_{\alpha _2}^*,\ldots ,\) \(A_{\alpha _k}^*\in _R G_q\).

  4. 4.

    After \(\hat{U}\) runs \(Request \) protocol, if the verification of PoK fails, \(\hat{U}^*\) sends a value \(\alpha _i\notin \{1,2,\ldots ,n\}\) to TTP.

  5. 5.

    If the verification of PoK successes, \(\hat{U}^*\) extracts \(\hat{U}\)’s choice \(\alpha _i\) from the PoK and gets back \(c_{\sigma _1}^*,c_{\sigma _2}^*,\ldots ,c_{\sigma _k}^*\) such that \(c_{\sigma _i}^*\in _R G_q\) for \(i=1,2,\ldots ,k\).

  6. 6.

    If \(\hat{U}\) can compute \(g^{xr_{\alpha _i}}\), \(\hat{R}^*\) sends \(\alpha _i\) to TTP, TTP returns \(\frac{c_{\alpha _i,2}^*}{m_{\alpha _i}}\).

  7. 7.

    \(\hat{U}^*\) outputs \((A_{\alpha _1}^*,A_{\alpha _2}^*,\ldots ,A_{\alpha _k}^*;c_1^*,c_2^*,\ldots ,c_n^*)\).

We can see from Theorem 10 and the Claim that \(\{A_{\alpha _1},A_{\alpha _2},\ldots ,A_{\alpha _k}\}\) and \(\{c_1,c_2,\ldots ,c_n\}\) are indistinguishable from random elements in \(G_q\). Therefore, no distinguishers can distinguish the outputs of \(\hat{U}\) and \(\hat{U}^\prime \) with a non-negligible probability.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Liu, W., Mu, Y., Yang, G. et al. Efficient E-coupon systems with strong user privacy. Telecommun Syst 64, 695–708 (2017). https://doi.org/10.1007/s11235-016-0201-3

Download citation


  • Privacy of purchase
  • Traceability
  • Unforgeability
  • Anonymity
  • Detection of misusing